Recent Advances in Security and Privacy for Wireless Sensor Networks 2016View this Special Issue
A Lightweight Authentication and Key Management Scheme for Wireless Sensor Networks
Security problem is one of the most popular research fields in wireless sensor networks for both the application requirement and the resource-constrained essence. An effective and lightweight Authentication and Key Management Scheme (AKMS) is proposed in this paper to solve the problem of malicious nodes occurring in the process of networking and to offer a high level of security with low cost. For the condition that the mobile sensor nodes need to be authenticated, the keys in AKMS will be dynamically generated and adopted for security protection. Even when the keys are being compromised or captured, the attackers can neither use the previous keys nor misuse the authenticated nodes to cheat. Simulation results show that the proposed scheme provides more efficient security with less energy consumption for wireless sensor networks especially with mobile sensors.
Wireless sensor networks (WSNs)  consist of a large number of nodes in a self-organized manner, where there are no central control nodes, and the nodes lying out of the transmitting range can communicate in a multihop way. As the wireless sensor network is independent of the predeploy infrastructure, it has broad application prospects in the battlefield environment, disaster relief, and environmental threats exploration, which make the security and efficiency the most basic requirements and the most popular research areas .
The characteristics of wireless sensor networks determine the network security threats, the security systems, and security algorithms that are quite different from those in traditional networks , and the traditional network security systems and security algorithms cannot be introduced directly. Meanwhile, the inherent essence of limited storage space, computational capabilities , bandwidth, and communication energy does not make the computational data encryption and public key cryptography based on the traditional cryptographic techniques adapt to wireless sensor networks. The security system and algorithm for WSN are mainly focused on in this paper to design an effective Authentication and Key Management Scheme with low computing and energy cost.
2. Related Work
With the development of security technology in wireless sensor networks, the research on routing protocols has been increasing in recent years. This section describes the three existing master key-based key management protocols: LOCK , SPINS , and BROSK . These protocols have been widely discussed in this area.
The Localized Combinatorial Keying (LOCK) proposed by Eltoweissy is an Exclusion-Based Systems (EBS) dynamic key management approach for cluster-based sensor networks. LOCK takes use of three keys, including the administrative key, the group session key, and the cluster session key. A special node selected by the cluster head is called a key generation node and will perform a key generation process. LOCK is for static networks. But the proposed scheme in this paper will be suitable for dynamic networks.
SPINS is a famous security framework for wireless sensor networks. Although it contains two protocols, SNEP and TESLA, which are used to achieve the confidentiality and authentication of data broadcasting, respectively, we will concentrate on the key agreement protocols .
BROSK can be considered as a more recent ad hoc key agreement protocol compared to SPINS. There are no trusted parties or servers in this scheme, in which each node negotiates the session key directly with its neighbor node by broadcasting key agreement message.
3. Network Model and Key Generation
This part briefly introduces the network model, the importance of authentication, and the idea of CPK system based on ECC.
3.1. Network Model
The members of wireless sensor network are BS (base station), CH (cluster head), and resource-constrained nodes, which are deployed in a geographical area to perform some special monitoring functions. In most applications, especially for large scale deployment, the sensors are arranged in multiple static clusters, as shown in Figure 1. The members’ changing makes the authentication and key management always a key research point in wireless network. Considering the resource-constrained essence of WSN, a lightweight scheme is badly needed, which keeps the key changeless to save the limited energy. Many applications, however, require the mobility of network nodes to support. In such a mobile sensor network, there will be always the condition that a node from an existing cluster moves into another cluster. The separated nodes may be the cluster heads or cluster members. The main reason causing the changes in cluster heads and cluster members is the mobility. The mobility of nodes together with the transient nature of the wireless media often leads to a highly dynamic network topology. In this case, security protection with moving sensors must be incorporated into wireless sensor network.
Authentication is one of the security practices to verify the identity of the sensor nodes. Public key cryptography is a popular way to provide authentication for WSN. Though the easy design and effective operation make it attractive, the disadvantage of more energy requirement greatly restricts the network performance. Thus, the sensor node has to use elliptic curve digital signature algorithm to generate a digital signature authentication. The combination of pairwise, global key, cluster key, and preloaded secret information is also used to verify the sensor nodes in the network. The node mobility will lead to random topology changes, which affects the security of mobile sensor networks. The lightweight Authentication and Key Management Scheme (AKMS) proposed in this paper will adopt a Hash Message Authentication Code (HMAC) algorithm  and a Combined Public Key (CPK) password system based on ECC to authenticate the moving nodes within the network effectively.
Sensor network has many features that make them more vulnerable to attack than the traditional computing devices. For example, the nature of the broadcasting allows the information to be intercepted, eavesdropped on, tampered with, or exchanged easily. Besides suffering the same threats with the conventional wireless networks, WSN is vulnerable to resource depletion attacks, which attempt to run out of resources, such as node battery and network bandwidth, and causes more damage. Finally, most devices in WSN cannot be tamper-resistant typically, which facilitates the physical manipulation and keys being stolen. To approach the real condition, the attack model is assumed as follows:(1)The sensors are not tamper-resistant, so an attacker is able to access the stored information and the keys in the node storage directly.(2)The attackers may appear not only before the network deployment but also during all the network life cycle without any assumptions about the quantity or the physical location of the attackers.(3)The attackers may easily intercept and modify the exchanged information among the network nodes.
3.2. The Idea of CPK System Based on ECC
Combined Public Key (CPK) password system based on ECC is a way of authentication based on the identity. According to the mathematical principle of elliptic curve discrete logarithm, we build public key matrix and private key matrix and use the hash function to map the entity’s identity for the row and column coordinates sequence of the matrix; it is used for the selection and combination of matrix element, and it can generate a large number of public and private key pairs, so as to realize the large scale of identity-based key generation and distribution. Entity nodes need to know each other’s identity to calculate its public key, which can easily achieve authentication and security features. Among them, identify key is generated by the entity’s identity through combination matrix. The CPK system based on ECC has the following advantages.(1)In wireless sensor network (WSN), the only legitimate nodes have the private key, and, according to the other identity ID and segmentation key, we can calculate the other Combined Public Keys (CPK), so the simple and efficient authentication process can be realized without the participation of the third party.(2)The CPK system based on ECC can combine large public/private key pair through a small amount of public/private key matrix; nodes only need to store a small matrix to achieve a large number of nodes' security authentication in the network.
Point multiplication operation is the foundation of CPK algorithm. ECC Signature Algorithm (ECDSA) is the elliptic curve version of digital signature algorithm (DSA); it is the basis for the CPK digital signature algorithm. This paper adopts ECC algorithms based on Montgomery type curve . We use point multiplication operation of Montgomery type elliptic curve and the binary shift NAF coding algorithm to solve the large amount of calculation generated by ECC point multiplication. We use the point addition and times point fast operation where the value of is not calculated to avoid modular inversion algorithm under the projective coordinates.
Point addition formula is as follows:
Times point formula is as follows:
Calculating coordinates of the times point of point in projective coordinates, where “” denotes mapping and (S1) means step , the specific algorithm is as follows: (S1) ; (S2) Calculate the integer: (S3) If , then jump to (S12), else go to (S4); (S4) ; (S5) If , then go to (S6), else jump to (S9). (S6) Calculate the integer: (S7) Calculate the integer: (S8) Jump to (S3); (S9) Calculate the integer; (S10) Calculate the integer: (S11) Jump to (S3): (S12) Output integer , , as corresponding , .
4. Proposed Authentication and Key Management Scheme
The lightweight AKMS proposed in this paper consists of three main phases: key predistribution phase, network initialization phase, and authentication protocol. The first phase is enabled before the nodes are being deployed. The second phase sets the security of network, and it is enabled during the network deployment. The last phase is enabled when a new node joins the network with the previous stage being over.
4.1. Key Predistribution Phase
Key predistribution phase is a key step for dynamic key management with moving nodes in WSN. For reasons of clarity, the symbols used in this paper are listed in the Notations.
In this phase, a network-wide symmetric master key will be generated and stored securely. This key should be long enough to destroy the common attack, namely, a minimum of 128 bits. During the networking stage, each node is preinstalled with an initial authenticator. The th cycle authenticator can be used by a node to identify another node, the superscript symbol of which indicates the cycle where the authenticator takes. It consists of the random number of tuples and the results of using a keyed-hash function with the current authentication key over them.
During the first authentication cycle, the authentication key is equal to the master key before the deployment; therefore
In general, the authentication key of the first cycle is ; then the authenticator set is
when the tuples are exhausted at this time, the authenticator will transmit to the next cycle.
4.2. Network Initialization Phase
This phase is enabled during the network deployment. In such operating environment, each node can find its neighbors within the communication range. Specific steps are as follows:(1)Each node generates its unique symmetric key by the CPK system based on ECC, , called the node encryption key, which is obtained by generating a random number and performing . For example, the encryption key of some node can be calculated as .(2)For a very short time, each node broadcasts its random value with the unit as seconds . In this way, the attackers listening to the broadcast communication will get the random values.(3)Each node receives a random value from its neighbor node and uses common master key to calculate their encryption key. In this case, each node will store a list of paired keys of its neighbor nodes.(4)Each node hashes the common master key and keeps it with the first forms of authentication key as , for the easy reason that storing master key in node’s storage space has great potential danger if a node is captured. This is mainly because of the existence of the authenticator, which will help to authenticate other nodes and to verify the information of common master key without storing master key.(5)In this stage, each node stores its encryption key , the set of encryption keys of its neighbor nodes, and the keys of the next authentication cycle , which is hash function of the master key and the current authenticator, consisting of the set of tuples.(6)Now, the node begins to communicate with other nodes using the encryption key in pair.
4.3. Authentication Operator
Authentication operation is used for network nodes to authenticate each other. The operator’s goal is to provide the ability to verify the new node in the network once the deployment phase of nodes is over. Retaining the master key in the node internal memory could cause the whole network security to be damaged. To avoid this situation, AKMS precalculates the necessary authentication material (excitation/response tuple) and the authentication key which will be deleted later. Therefore, the new node will be verified by the knowledge of the authentication key without being stored in the memory. As mentioned above, the authentication operation will adopt two encryption primitives, as the excitation/response scheme  and the key chain .
4.3.1. Authenticator Generation
The authentication of any cycle is constructed from the keys of the previous cycle . In this way, the node can verify the master key, because the authentication key of the cycle can only be derived rather than storing the master key itself. If a node is destroyed, the attacker will only obtain the identity of the current cycle but not compromise the authentication and the exchange of keys performed using the previous cycles of the authenticator. As a node runs out of authenticators’ instances, it will simply generate a new set; that is, it will start a new cycle of the authenticators set. The cycle should be composed of the following steps:(1)A new authenticators set with tuples of random numbers is calculated and the current authentication key is applied to each of them to obtain(2)The current authentication key is updated and hashed to obtain(3)The new key is generated by
4.3.2. Implementation Issues
Each of these tuples has a status label to describe its current status in the authentication process. The possible values of status are as follows: UNUSED: the tuple is unused ASSIGNED: the tuple is temporarily assigned to a node in an ongoing process of authentication; if the process fails, the label will change to UNUSED, and the tuple can be used again USED: the tuple is used in a successful authentication process, which cannot be adopted by any other processes; in this way, the replay attack will be avoided efficiently
In addition to these labels, there is another domain in authenticator structure, called the current tuple index denoted as to store the first UNUSED tuple, which will increase when each tuple changes its status from UNUSED to ASSIGNED.
Finally, another important issue to be analyzed is the size of the authenticator . As a system parameter, the value of should be carefully set according to the number of nodes and the moving rate. Of course, if the network status is changing dramatically, the value of will be adjusted dynamically. A typical value of is about 10, which is relatively reasonable taking into account the expected authentication rate and the number of the neighbor nodes in such a network .
Although it has no direct security consequences, a very small value of may cause some performance problems if the network has a high new nodes ingress rate. In order to avoid these drawbacks, a new authentication cycle has to be calculated .
An example in Table 1 includes the values of the second authentication cycle. There is in this situation. From the value of the current tuple index , it can be inferred that the authenticator has carried out two successful authentications.
4.4. Authentication Protocol
A new node, , wants to join in the network; excitation/response based mutual authentication protocol will be performed after deployment . As a new node, node can be regarded as the node first entering into the network in some certain sense, so the authenticator will be the first cycle . Assuming node is the authentication node to node , which can be adopted at any cycle j, the authentication protocol between node and node can be described as follows:(1)Node produces an excitation to node by generating a random number . Then, it will send a message to node with the following format:(2)After receiving from node , node will perform the following operations:(i)to open the first unused tuple and mark it by the current tuple index , so as to extract the corresponding random number and the random pair , as well as change the status label of tuple from UNUSED to ASSIGNED;(ii)to respond to an excitation from node using the defined keyed-function with over the excitation to obtain ;(iii)to recover its own encryption keys and the ciphers of the current authentication key to obtain ;(iv)to restore the current cycle of authenticator for the later synchronization with node and send the message to node with the following format:(3)After receiving from node , node will perform the following operations:(i)to calculate the current cycle of node (node is considered to be a new node, so the current cycle is 1; therefore node needs to perform times hash over to obtain to synchronize with node );(ii)to check whether the response from node is correct or not by comparing its own computation with the received value (passing the checks means node has demonstrated the original master key and is successfully authenticated);(iii)to calculate the imaginary part of the excitation to obtain ;(iv)to generate its own encryption key and the ciphers of the current authentication key so as to obtain ;(v)to send the message to node with the following format:(4)Finally, after receiving from node , node will compare each response of the authenticator in use with the status label :(i)if they are equal, the status label is changed from ASSINGED to USED, and the new joining node is authenticated to access the network;(ii)if they are not equal, the status label is changed to UNUSED again, which means the new joining node fails in authentication and is not allowed to access the network.
The whole information exchange process can be summarized as in Figure 2.
Being observed in steps () and (), this exchange process provides simple key establishment procedures and effective transfers of the appropriate encryption key or to the corresponding groups.
Figure 2 shows a full implementation example of the proposed authentication scheme. Node and node are regarded as the requester and the authenticator, respectively. The authentication parameters of node are and , which means that the authenticator is in the third cycle and two tuples have been successfully used. Node is a new node, so its authenticator is in the first cycle.
5. Performance Evaluations
In this section, the performance of AKMS will be evaluated and analyzed in terms of the average packet delivery rate, the average energy consumption, and the networking success rate with different types of attackers.
5.1. Simulation Settings
The performance of AKMS proposed in this paper is assessed by NS2 . The simulations have been carried out 20 times in different scenarios with the results being averaged for each . The simulation parameters are shown in Table 2.
5.2. Simulation Results
The number of nodes remains 200 with the number of attackers being 5, 10, 15, 20, and 25, respectively . Firstly, the average packet delivery rate (PDR) of AKMS is simulated compared with that of LOCK, SPINS, and BROSK, and the results are shown in Figure 3. Because of the bidirectional malware detection technology to eliminate malicious node cluster members and CH, AKMS will reduce the error packets effectively, so as to be able to send more legitimate packets to the destination compared to other schemes. Besides, AKMS adopts multipath propagation routing technology to eliminate the selective forwarding attacks, which makes the PDR even higher.
Secondly, the average energy consumption of all the nodes is measured during transmission, including the energy consumption by sending, receiving, and calculating. Figure 4 shows the average energy consumption comparisons of AKMS, LOCK, SPINS, and BROSK. When the number of attackers is growing, the average energy consumption will also increase. This is because the increasing attackers will cause more error packets. CH will filter out error packets based on AKMS to avoid the spreading of the packets from attackers throughout the network, so as to reduce the energy consumption. In LOCK, the CH node must initiate the key updating if it is captured. A new CH is selected as the new BS, and it will distribute new keys to its cluster members with the help of key generation node (KGN) , which will consume more energy.
Thirdly, the impact of network resilience ability has been analyzed and evaluated by the percentage of successful networking in the network of 500 nodes with 25% being the attacker. Three types of attack scenarios are set with only static attackers, only mobile attacker, and combination of both, and the simulating results are shown in Figures 5(a), 5(b), and 5(c), respectively. AKMS will detect the malicious nodes and exclude them from the network to avoid them participating in the network activities. Moreover, network environment variation based dynamic key scheme makes it difficult for the attackers to capture node. Even if the nodes are compromised by attackers, it cannot affect the entire network with AKMS.
Figure 5(a) shows the successful networking rate in the presence of 25 static attackers. In LOCK, the key updating is initiated only if the node-capturing rate reaches the Network Resilience Point (Nc). If a certain node in the network is attacked before the key updating, it will be further used by the attacker to destroy the rest of the nodes in the network. Therefore, the proportion of the mobile nodes will be decreasing rapidly. AKMS, however, is able to capture the key that is hidden before distribution or stored in each node in the cluster. Once these keys are captured, the attacker will further attempt to compromise more nodes until AKMS reinitiates the key updating. Since AKMS support mobility, the neighbors of any attacker may move to another cluster, so the performance of AKMS will be better than other schemes, especially in mobile WSN.
Figure 5(b) shows the successful networking rate in the presence of 25 mobile attackers. The attackers in the network are moving with different speed. Generally, the attacker with the maximum speed is able to attack the most nodes by moving from one to another cluster quickly and continuously launching attacks before being recognized and separated. Simulating results and analysis both indicate that the performance of AKMS is better than that of LOCK, SPINS, and BROSK, because AKMS can identify the malicious nodes and isolate them from the network at the same time.
Figure 5(c) shows the successful networking rate in the presence of 10 mobile and 15 static attackers. From the simulation it can be seen that the static attackers are able to be identified before the network becomes stable; the mobile attackers will attack by moving from one to another cluster. AKMS will perform better because of the mobility-support characteristics.
The resource-constrained essence of WSN makes the attack threat, security system, and algorithm quite different from those in traditional wireless network. In this paper, a lightweight authentication and key management protocol AKMS has been proposed for wireless sensor networks. It uses the symmetric cryptographic primitives with keyed-hash functions (HMAC) and bidirectional encryption algorithm to provide message confidentiality and authenticity for WSN and reduces the encryption overhead to the minimum as well with just a few bytes to be performed for once per authentication attempt. Simulation results show that the proposed scheme AKMS will provide more efficient security with less energy consumption, control overhead, and packet loss rate than other typical schemes, and the advantages will become remarkable with the number of nodes, attackers, and cycles increasing. Moreover, for the condition that there are mobile sensors in the network, the proposed scheme AKMS performs quite well compared to LOCK, SPINS, and BROSK. Future research will focus on the way to resist various attacks and robust routing in ubiquitous communication network.
|:||Master key in the whole network|
|:||Encryption key of node|
|:||Encryption of message with key|
|:||Message is hashed times without key|
|:||The th tuple of the th cycle authenticator|
|:||Hash of message|
|:||Virtual battery power|
|:||Message is hashed times with key|
|:||Hash of message with key (HMAC)|
|:||Authentication key of the th authentication cycle; that is, .|
The authors declare that they have no competing interests.
This work was supported by the National Natural Science Foundation of China (61302074, 61571181), Natural Science Foundation of Heilongjiang Province (QC2013C061), Modern Sensor Technology Research and Innovation Team Foundation of Heilongjiang Province (2012TD007), Postdoctoral Research Foundation of Heilongjiang Province (LBH-Q15121), and Postgraduate Innovation Research Foundation of Heilongjiang University (YJSCX2016-019HLJU).
S. Verma and Prachi, “Key pre-distribution scheme for WSNs,” Ad-Hoc and Sensor Wireless Networks, vol. 23, no. 1-2, pp. 47–67, 2014.View at: Google Scholar
S. Bag, “A new key predistribution scheme for grid-group deployment of wireless sensor networks,” Ad Hoc and Sensor Wireless Networks, vol. 27, no. 3-4, pp. 313–329, 2015.View at: Google Scholar
B. C. Lai, D. D. Hwang, S. P. Kim, and I. Verbauwhede, “Reducing radio energy consumption of key management protocols for wireless sensor networks,” in Proceedings of the ACM International Symposium on Low Power Electronics and Design (ISLPED '04), pp. 351–356, Newport Beach, Calif, USA, 2004.View at: Google Scholar
O. D. Mohatar, A. F. Sabater, and J. M. Sierra, “A light-weight authentication scheme for wireless sensor networks,” Ad Hoc Networks, vol. 9, no. 5, pp. 727–735, 2011.View at: Google Scholar
J. Rabaey and J. Ammer, “Distributed framework for correlated data gathering in sensor networks,” IEEE Transactions on Mobile Computing, vol. 57, no. 1, pp. 578–593, 2010.View at: Google Scholar
K. C. Egemen, B. Dan, and D. Amit, “Modelling communication network challenges for future internet resilience, survivability, and disruption tolerance: a simulation-based approach,” Telecommunication Systems, vol. 2, no. 6, pp. 751–768, 2013.View at: Google Scholar
H. Wang, J. Lai, M. Hu, and Y. Liang, “Research on key technologies for implementing network security situation awareness,” Geomatics and Information Science of Wuhan University, vol. 33, no. 10, pp. 995–998, 2008.View at: Google Scholar
D. Lucas and J. Joel, “A survey on cross-layer solutions for wireless sensor networks,” IEICE Transaction on Journal of Network and Computer Applications, vol. 5, no. 34, pp. 523–534, 2011.View at: Google Scholar
C. Wang, X.-Y. Shi, and Z.-H. Niu, “The research of the promotion for ECDSA algorithm based on Montgomery-form ECC,” Journal on Communications, vol. 31, no. 1, pp. 9–13, 2010.View at: Google Scholar
K. Okeya and K. Sakurai, “A scalar multiplication algorithm with recovery of the y-coordinate on the montgomery form and analysis of efficiency for elliptic curve cryptosystems,” IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. 85, no. 1, pp. 84–93, 2002.View at: Google Scholar
G. Anastasi and M. Conti, “Data collection in sensor networks with data mules: an intergrade simulation analysis,” IEEE Symposium on Computers and Communications, vol. 3, no. 7, pp. 1096–1102, 2012.View at: Google Scholar